In the Linux kernel, the following vulnerability has been resolved:
nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails
Have nvmet_req_init() and req->execute() complete failed commands.
Description of the problem: nvmet_req_init() calls __nvmet_req_complete() internally upon failure, e.g., unsupported opcode, which calls the "queue_response" callback. This results in nvmet_pci_epf_queue_response() being called, which will call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is different from DMA_TO_DEVICE. This results in a double completion as nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod() when nvmet_req_init() fails.
Steps to reproduce: On the host, send a command with an unsupported opcode with nvme-cli, for example the admin command "security receive": $ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096
This triggers a double completion as nvmet_req_init() fails and nvmet_pci_epf_queue_response() is called, here iod->dma_dir is still in the default state of "DMA_NONE" as set by default in nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called. Because nvmet_req_init() failed nvmet_pci_epf_complete_iod() is also called in nvmet_pci_epf_exec_iod_work() leading to a double completion. This not only sends two completions to the host but also corrupts the state of the PCI NVMe target leading to kernel oops.
This patch lets nvmet_req_init() and req->execute() complete all failed commands, and removes the double completion case in nvmet_pci_epf_exec_iod_work() therefore fixing the edge cases where double completions occurred.
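The completion-ownership mistake described above, as an added illustrative model in C. This is not the kernel's pci-epf code: req_init(), queue_response(), complete_iod(), exec_iod_work_buggy() and exec_iod_work_fixed() are hypothetical stand-ins for nvmet_req_init(), the queue_response callback, nvmet_pci_epf_complete_iod() and nvmet_pci_epf_exec_iod_work(), the struct fields are simplified, and which opcodes the model treats as supported is an assumption. The completions counter plays the role of the completion entry posted to the host and the iod release; it must end at exactly 1 for every command.

```c
/* Added example: a user-space model of the double-completion bug, NOT the
 * kernel's drivers/nvme/target/pci-epf.c. All names below are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the DMA direction values the description refers to. */
enum model_dma_dir { MODEL_DMA_NONE, MODEL_DMA_TO_DEVICE, MODEL_DMA_FROM_DEVICE };

/* NVMe admin opcodes (spec values). The model treats only Identify as supported;
 * that choice is an assumption of the model, not the driver's behaviour. */
#define OPC_IDENTIFY      0x06
#define OPC_SECURITY_RECV 0x82

struct model_iod {
    unsigned opcode;
    enum model_dma_dir dma_dir;   /* stays MODEL_DMA_NONE until a transfer is set up */
    size_t data_len;
    int status;                   /* status carried by the completion entry */
    int completions;              /* times complete_iod() ran; must be exactly 1 */
};

/* Stand-in for complete_iod(): posts the completion to the host and releases
 * the iod. Running it twice is the bug (two completions, state corruption). */
static void complete_iod(struct model_iod *iod)
{
    iod->completions++;
}

/* Stand-in for the queue_response callback: completes immediately when there is
 * no data to move or the data does not flow to the device (the condition quoted
 * in the description). */
static void queue_response(struct model_iod *iod)
{
    if (iod->data_len == 0 || iod->dma_dir != MODEL_DMA_TO_DEVICE)
        complete_iod(iod);
}

/* Stand-in for nvmet_req_init(): on an unsupported opcode it fails AND
 * completes the command itself through queue_response(). After a false return
 * the caller no longer owns the completion. */
static bool req_init(struct model_iod *iod)
{
    if (iod->opcode != OPC_IDENTIFY) {
        iod->status = 1;          /* e.g. invalid opcode */
        queue_response(iod);
        return false;
    }
    return true;
}

/* Stand-in for req->execute(): does the work and completes the command. */
static void req_execute(struct model_iod *iod)
{
    iod->status = 0;
    queue_response(iod);
}

/* Vulnerable shape: the caller completes again when init fails. */
static int exec_iod_work_buggy(struct model_iod *iod)
{
    if (!req_init(iod)) {
        complete_iod(iod);        /* second completion of the same command */
        return iod->completions;
    }
    req_execute(iod);
    return iod->completions;
}

/* Fixed shape: whoever fails the request completes it; the caller just returns. */
static int exec_iod_work_fixed(struct model_iod *iod)
{
    if (!req_init(iod))
        return iod->completions;  /* already completed inside req_init() */
    req_execute(iod);
    return iod->completions;
}

/* Run one freshly allocated command through either path and return how many
 * times it was completed. dma_dir starts at MODEL_DMA_NONE, as the description
 * says the allocator leaves it. */
static int completions_for(bool use_fixed_path, unsigned opcode, size_t data_len)
{
    struct model_iod iod = { .opcode = opcode, .dma_dir = MODEL_DMA_NONE,
                             .data_len = data_len, .status = 0, .completions = 0 };
    return use_fixed_path ? exec_iod_work_fixed(&iod) : exec_iod_work_buggy(&iod);
}

int main(void)
{
    /* Constructed input mirroring the reproducer: Security Receive, 4096 bytes. */
    printf("security-recv buggy path: %d completions\n",
           completions_for(false, OPC_SECURITY_RECV, 4096));
    printf("security-recv fixed path: %d completions\n",
           completions_for(true, OPC_SECURITY_RECV, 4096));
    return 0;
}
```

The model generalises the page's single reproducer: any unsupported opcode takes the failing branch, and the supported path shows that the fix does not drop the one completion a successful command must still get. The rule it demonstrates is the same one that prevents double frees: once a callee reports failure after completing (or freeing) the object, the caller must treat the object as gone.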
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38658.json"
}